The ThreatFire team has busted another "in-the-wild" ZBot trojan.
An interesting detail this time is that the trojan is currently hosted on the server with the IP 220.127.116.11. This is the web server of "London Escorts & Escort Agencies", and its domain name is escortcitylondon.com.
When run, the trojan downloads an encrypted configuration file from 18.104.22.168. The config file instructs the bot to update itself directly from the escort site mentioned above.
The trojan attempts to deactivate a number of AV products and firewalls by deleting their registry keys, terminating their processes and modifying the hosts file.
ZBot attempts to steal the contents of online banking forms for the following banks:
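The hosts-file trick is the easiest of the three to check for on a suspect machine: a bot that wants to block signature updates maps the vendors' update domains to loopback, 0.0.0.0 or some unroutable address. The script below is an added example, not code from the ThreatFire post or from the sample itself; the list of watched vendor domains and the sample hosts file are both constructed for illustration.

```python
# Added example (not from the ThreatFire post): flag hosts-file entries that
# sinkhole security-vendor domains, one of the AV-disabling tricks described
# in the post. The watched domains and the sample file are assumptions made
# for this example, not data taken from the sample.
import ipaddress

# Assumed list of vendor update/download domain suffixes a bot would want to
# sinkhole. Illustrative only; extend for the products in your environment.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "kaspersky.com",
    "avast.com", "threatfire.com", "pctools.com", "windowsupdate.com",
    "microsoft.com",
)

# Constructed hosts file: two benign lines, three sinkholed vendor domains
# and one legitimate internal override that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       update.kaspersky.com
0.0.0.0         liveupdate.symantecliveupdate.com
10.0.0.5        intranet.example.internal
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address, skip rather than crash on garbage
        for host in parts[1:]:
            yield ip, host.lower()


def is_watched(host):
    """True if host is one of the watched vendor domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return (ip, host) pairs that map a watched vendor domain to a
    loopback, unspecified or private address.

    A vendor's public update domain should never resolve there; such an
    entry silently breaks signature updates, which is exactly what the bot
    wants. Entries for other hosts (e.g. internal overrides) are ignored.
    """
    hits = []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_private:
            hits.append((str(ip), host))
    return hits


if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts-file sinkhole: {host} -> {ip}")
```

On a live Windows box you would feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts`; a clean file yields no hits, while the constructed sample above reports the three sinkholed vendor entries and leaves the internal override alone.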
- Bank of America
- Banca Mediolanum
The targeted banking sites can be seen in the bot's memory contents:
The full ThreatExpert report is available here.